i m using moodle framework and passwordsaltman encryption please help me out how to decrypt it any script or any way how?????
It is normal practice to "encrypt" passwords by sending them through a http://en.wikipedia.org/wiki/Cryptographic_hash_function. In the case of Moodle the function is http://en.wikipedia.org/wiki/MD5. See function hash_internal_user_password($password) in lib/moodlelib.php.
An important property of such functions is that they are irreversible ("it is infeasible to generate a message that has a given hash").
An important property of such functions is that they are irreversible ("it is infeasible to generate a message that has a given hash").
...even if it was possible, do you think it would be a good idea to have a Forum post here explaining how to do it !?!? lol
If Moodle uses a reversible algorithm and keeps it secret, how long would it take to a cracker to find the answer?
The fundamental question is, how Open Source Software can hide such information?
The fundamental question is, how Open Source Software can hide such information?
Moodle does not encrypt passwords. It hashes them using a one-way hash function.
This is common practice, in irreversible by design.
Hi Tim Hunt,
I
need some help regarding the same. I want to add a column in mdl_user
in which original password of user in stored (Not hashed). Is there a
way to achieve this? In which file moodle does its insert query for the
password?
Here is the right way to do this:
Don't
Hi Tim,
I know it is not at all a good practice. But i have got a task from my employer that the admin should be able to login to any user's account. Please help me what should i do?
Moodle admin can login into any user account without knowing the password using the "login as" feature. No need to change anything in Moodle or reveal passwords.
I have no idea if this is a serious question or some trolling. Either way, I think it's important to understand why password salts exist.
The original design was to simply 'md5' the password. The problem with that is that if you use a common word for a password and someone gets hold of the hashed password it is trivial to reverse. This is no big secret, there are sites that have database of common (and not so common) md5 hashes and can easily decode them.
However, if you use a lengthy and reasonably random salt this all but makes this impossible. It's still theoretically possible to crack passwords if you know the salt and the method used (easy enough with Moodle) but it would still only work for 'dictionary' words.
So... use a good salt, leave the password restriction settings turned up and keep your salt secret. In which case, it's near enough to impossible to decode the passwords.
However, to answer the original question as posed, no you cannot. That's the idea!
The original design was to simply 'md5' the password. The problem with that is that if you use a common word for a password and someone gets hold of the hashed password it is trivial to reverse. This is no big secret, there are sites that have database of common (and not so common) md5 hashes and can easily decode them.
However, if you use a lengthy and reasonably random salt this all but makes this impossible. It's still theoretically possible to crack passwords if you know the salt and the method used (easy enough with Moodle) but it would still only work for 'dictionary' words.
So... use a good salt, leave the password restriction settings turned up and keep your salt secret. In which case, it's near enough to impossible to decode the passwords.
However, to answer the original question as posed, no you cannot. That's the idea!